Computer information systems have an important role to play in modern society. However, there has also been a notable increase in recent years in the number of computer threats, including malicious software (i.e., malware), such as viruses, worms, Trojans, etc., as well as system and network attacks, such as denial of service attacks, etc.
There are different methods for detection of malicious software and attacks. The conventional signature method is based on the creation of unique code signatures or behavior templates for malware and their subsequent comparison with a suspect program or file. However, information about new malware usually reaches antivirus companies with delay. It also takes a considerable time for updates containing new malware signatures to be sent to the computers of antivirus software users. Consequently, there is a substantial time lag between the emergence of new malware and the receipt by the users of updated malware signature, and during this time a large number of computers may be infected with malware.
Heuristic analysis is another conventional method for detection of malware, which is based on the analysis of program code and emulation of its executable commands. This method, unlike the signature method, is more effective in detecting new malicious software. On the other hand, heuristic analysis methods have an inadequate level of detection and result in many false positives, i.e., sometimes identifying legitimate software as malicious.
Recently, there has been widespread adoption of computer defense systems that use cloud-based reputation services, such as Kaspersky Security Network. These systems are superior to the conventional systems in terms of their response time and the detection rate of new malware. Typically, a plurality of reputation services is used to form a cloud infrastructure of the antivirus company. These services collect from antivirus applications deployed on users' computers and analyze information about attempted malware infections and unknown suspicious files that were downloaded and executed on the user's computers. Using cloud services, an antivirus company can react rapidly to new security threats while reducing the number of false malware detections by leveraging information from many of its users.
The cloud reputation services of the antivirus company may use different factors to analyze whether files and programs detected on users' computers are safe or malicious. Some of these factors are described, for example, in the commonly owned U.S. Pat. No. 7,640,589. These factors may include, but not limited to, the presence of a digital signature of the analyzed program; the time of creation and first detection of the program; the reputation of the program, which can be based on the total number of users of this program; the geography of program's usage, etc. The program may also be analyzed in the cloud using conventional analysis methods and with the assistance of virus analysts. The resulting decision as to the safety or maliciousness of the program may be sent to all users of the cloud reputation services who executed this program on their computers or downloaded it from the Internet.
In spite of the high level of detections provided by the cloud reputation services, they can be discredited through the actions of unauthorized users or malware attacks. For example, an unauthorized user or malware residing on user's computer that knows the protocol for communication with the cloud reputation service can send false information to the cloud service. In another example, before a new type of malware is released into the Internet, the malware creator can send to the reputation service information confirming “safety” of this malware from a large number of trusted computer user, which may convince the cloud reputation service that the malware is in fact safe. Consequently, when the malware is released into the Internet, other users of antivirus software will accept it as safe as well.
Accordingly, there is a need for a mechanism for protecting cloud-based reputation services from unauthorized access and malware attacks.